Re: OSI...Please help... [7:51235]
You're putting too much thought into this. :-) The ip keyword will match any ip packet regardless of the transport layer protocol being used. You use the tcp, udp, and icmp keywords when you want to be even more specific.

HTH,
John

>>> maine dude 8/12/02 10:16:19 AM >>>
> Please help...
>
> In the example:
>
>   access-list 101 deny tcp host 172.16.3.10 172.16.1.0 0.0.0.255 eq ftp
>   access-list 101 permit ip any any
>
> Do the terms tcp and ip refer to the individual protocols or the stack? I assume they refer to the individual protocols, as you could substitute them with udp or icmp, but then surely the last statement would allow only the individual ip protocol and therefore all other packets such as tcp, udp, icmp would be filtered. Or does tcp, udp, icmp get through because it is encapsulated in ip? (I hate the OSI model)
>
> -DJ
>
> Get a bigger mailbox -- choose a size that fits your needs. http://uk.docs.yahoo.com/mail_storage.html

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=51239t=51235
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: OSI...Please help... [7:51235]
maine dude wrote:
> Please help...
>
> In the example:
>
>   access-list 101 deny tcp host 172.16.3.10 172.16.1.0 0.0.0.255 eq ftp
>   access-list 101 permit ip any any
>
> Do the terms tcp and ip refer to the individual protocols or the stack?

They refer to the protocols. Don't worry too much about the stack. The TCP/IP stack is just as elusive and harmful to learning as the OSI stack. (Just kidding. I think they are good for learning, actually, but you have to go beyond them, as you know.)

> I assume they refer to the individual protocols as you could substitute them with udp or icmp, but then surely the last statement would allow only the individual ip protocol and therefore all other packets such as tcp, udp, icmp would be filtered. Or does tcp, udp, icmp get through because it is encapsulated in ip? (I hate the OSI model)
>
> -DJ

The statement at the end (access-list 101 permit ip any any) is to avoid problems with the implicit deny at the end of every access list. If you don't put something like that, everything will be denied as soon as you have any access list. The good news is that you don't really have to be specific in that final statement if you don't want to be. You don't have to specify any IP addresses and you don't have to specify anything above IP.

The other good news is that essentially everything (except ARP and IS-IS) in an IP network runs above IP. When you want to be more specific then you'll have to know things like the following info.

The following protocols run directly above IP:

  Protocol   Protocol Number in Decimal
  ICMP       1
  IGMP       2
  IP         4 (IP-in-IP tunneling)
  TCP        6
  IGRP       9
  UDP        17
  GRE        47
  ESP        50
  AH         51
  EIGRP      88
  OSPF       89

The following protocols run above TCP:

  Service    Port Number in Decimal
  FTP        21 for control, 20 for data
  Telnet     23
  SMTP       25
  DNS        53*
  Gopher     70
  Finger     79
  HTTP       80
  POP        110
  NNTP       119
  NetBIOS    139* (Session)
  BGP        179
  LDAP       389
  SSL        443
  NCP        524*
  AFP        548

  * DNS uses TCP for large transfers, but otherwise uses UDP.
  * NCP and NetBIOS also use UDP for some purposes.

The following protocols use UDP:

  Service    Port Number in Decimal
  DNS        53
  DHCP       67 for the DHCP server, 68 for the DHCP client
  TFTP       69
  RPC        111
  NetBIOS    138 (Datagram)
  SNMP       161
  AURP       387
  SLP        427
  RIP        520
  NCP        524

One place to go to learn protocol types and port numbers is the Internet Assigned Numbers Authority documents. Unfortunately, they tend to list every protocol as using TCP and UDP, since theoretically they could. So it takes experience to learn which one is really used in the real world. (Experience or reading my books! ;-) The IANA documents are here: http://www.iana.org

And it also takes experience to learn about the protocols that misbehave in various ways. FTP is especially ugly. There's more info on FTP here: http://www.troubleshootingnetworks.com/ftpinfo.html

TFTP is almost impossible to permit, although possible to deny. This is because only the first packet uses a well-known port number (69). After that the packets go to and come from non well-known port numbers, meaning that you can't do a good permit access list. Deny works because TFTP won't work if you deny the first packet, which does use the well-known port number. I'll have to do a white paper on that too, at some point!

That's all for now! Good luck. Try to see it as fun, not frustrating!

Priscilla Oppenheimer
http://www.priscilla.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=51242t=51235
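The matching rules John and Priscilla describe (the ip keyword covering every protocol, tcp/udp/icmp narrowing it, first match wins, the implicit deny at the end, and why a permit for TFTP never catches the transfer) worked through in a small evaluator. This is an added example, not code from the thread or from Cisco IOS; it accepts only the ACL syntax used above, and the hosts 172.16.1.7 and 172.16.1.9, the client ports 40000 and 4500 and the TFTP transfer port 3456 are constructed for illustration.

```python
# Added example, not from the thread or Cisco IOS: a minimal evaluator for the ACL syntax used above.
IP_PROTO = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17}   # numbers from the table; None = any
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "tftp": 69}

def ip2int(a):
    o = [int(x) for x in a.split(".")]
    return (o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]
def parse_addr(t):  # one address spec -> (address, wildcard, remaining tokens)
    if t[0] == "any":
        return 0, 0xFFFFFFFF, t[1:]
    if t[0] == "host":
        return ip2int(t[1]), 0, t[2:]
    return ip2int(t[0]), ip2int(t[1]), t[2:]
def parse_port(t):  # optional "eq <port>" -> (port or None, remaining tokens)
    if t and t[0] == "eq":
        return (int(t[1]) if t[1].isdigit() else PORT_NAMES[t[1]]), t[2:]
    return None, t
def parse_ace(line):  # access-list <n> <action> <proto> <src> [eq p] <dst> [eq p]
    t = line.split()
    action, proto = t[2], t[3]
    src, swc, t = parse_addr(t[4:])
    sport, t = parse_port(t)
    dst, dwc, t = parse_addr(t)
    dport, t = parse_port(t)
    return {"action": action, "proto": IP_PROTO[proto], "src": (src, swc),
            "sport": sport, "dst": (dst, dwc), "dport": dport}
def addr_match(spec, addr):
    net, wc = spec
    care = ~wc & 0xFFFFFFFF               # a set wildcard bit means "don't care"
    return ip2int(addr) & care == net & care
def ace_match(ace, pkt):
    if ace["proto"] is not None and ace["proto"] != pkt["proto"]:
        return False                      # "ip" (None) accepts every protocol number
    if not (addr_match(ace["src"], pkt["src"]) and addr_match(ace["dst"], pkt["dst"])):
        return False
    return all(ace[k] is None or ace[k] == pkt.get(k) for k in ("sport", "dport"))
def evaluate(acl, pkt):
    for ace in acl:                       # first match wins
        if ace_match(ace, pkt):
            return ace["action"]
    return "deny (implicit)"              # the implicit deny at the end of every ACL

# The ACL from the question, checked against constructed packets from the blocked host.
ACL_101 = [parse_ace(l) for l in (
    "access-list 101 deny tcp host 172.16.3.10 172.16.1.0 0.0.0.255 eq ftp",
    "access-list 101 permit ip any any")]
ftp = {"proto": 6, "src": "172.16.3.10", "dst": "172.16.1.7", "sport": 40000, "dport": 21}
print([evaluate(ACL_101, p) for p in (ftp, dict(ftp, dport=23), dict(ftp, proto=17),
       {"proto": 1, "src": ftp["src"], "dst": ftp["dst"]})])  # deny, permit, permit, permit

# TFTP: only the first packet goes to port 69; the transfer uses a server-chosen port (constructed: 3456).
ACL_102 = [parse_ace("access-list 102 permit udp any host 172.16.1.9 eq tftp")]
first = {"proto": 17, "src": "172.16.3.10", "dst": "172.16.1.9", "sport": 4500, "dport": 69}
print(evaluate(ACL_102, first), evaluate(ACL_102, dict(first, dport=3456)))  # permit deny (implicit)
```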
Re: OSI...Please help... [7:51235]
The first one specifies tcp and the second one includes any upper protocols encapsulated in ip packets.

----- Original Message -----
From: maine dude
To:
Sent: Monday, August 12, 2002 12:16 PM
Subject: OSI...Please help... [7:51235]

> In the example:
>
>   access-list 101 deny tcp host 172.16.3.10 172.16.1.0 0.0.0.255 eq ftp
>   access-list 101 permit ip any any
>
> Do the terms tcp and ip refer to the individual protocols or the stack?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=51243t=51235
Re: OSI...Please help... [7:51235]
At 4:35 PM + 8/12/02, John Neiberger wrote:
> You're putting too much thought into this. :-) The ip keyword will match any ip packet regardless of the transport layer protocol being used. You use the tcp, udp, and icmp keywords when you want to be even more specific.
>
> HTH,
> John
>
>>>> maine dude 8/12/02 10:16:19 AM >>>
>> Or does tcp, udp, icmp get through because it is encapsulated in ip? (I hate the OSI model)
>>
>> -DJ

Trust me. IP designers did not have OSI compliance in mind.

And to be picky, John, ICMP isn't a transport protocol. It is a control/management protocol at the network layer.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=51247t=51235
Re: OSI...Please help... [7:51235]
Good point! Forgive me, I'd only had one cup of coffee when I wrote that. Usually I need at least three before my explainer works correctly.

John

>>> Howard C. Berkowitz 8/12/02 11:39:12 AM >>>
> Trust me. IP designers did not have OSI compliance in mind.
>
> And to be picky, John, ICMP isn't a transport protocol. It is a control/management protocol at the network layer.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=51253t=51235
Re: OSI...Please help... [7:51235]
At 6:16 PM + 8/12/02, John Neiberger wrote:
> Good point! Forgive me, I'd only had one cup of coffee when I wrote that. Usually I need at least three before my explainer works correctly.
>
> John

You bring up an interesting question. Could we have predicted our industry crash by monitoring coffee consumption by accountants, vendors, or venture capitalists, etc.? There _ought_ to be a correlation.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=51255t=51235
Re: OSI...Please help... [7:51235]
Did you see the movie Pi? :)

Howard C. Berkowitz
Sent by: nobody@groupstudy.com
08/12/2002 03:02 PM
Please respond to Howard C. Berkowitz

To: [EMAIL PROTECTED]
Subject: Re: OSI...Please help... [7:51235]

> At 6:16 PM + 8/12/02, John Neiberger wrote:
>> Good point! Forgive me, I'd only had one cup of coffee when I wrote that. Usually I need at least three before my explainer works correctly.
>
> You bring up an interesting question. Could we have predicted our industry crash by monitoring coffee consumption by accountants, vendors, or venture capitalists, etc.? There _ought_ to be a correlation.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=51259t=51235
Re: OSI...Please help... [7:51235]
Hmmm, that explains why my explainer is unexplainable, I don't like coffee :)

Dave

Howard C. Berkowitz wrote:
> At 6:16 PM + 8/12/02, John Neiberger wrote:
>> Good point! Forgive me, I'd only had one cup of coffee when I wrote that. Usually I need at least three before my explainer works correctly.
>
> You bring up an interesting question. Could we have predicted our industry crash by monitoring coffee consumption by accountants, vendors, or venture capitalists, etc.? There _ought_ to be a correlation.

--
David Madland
CCIE# 2016
Sr. Network Engineer
Qwest Communications
612-664-3367

You don't make the poor richer by making the rich poorer. --Winston Churchill

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=51261t=51235
Re: OSI...Please help... [7:51235]
At 4:14 PM -0400 8/12/02, [EMAIL PROTECTED] wrote:
> Did you see the movie Pi? :)

No, but I like pi with coffee. It's just rarely on my blueprint...I mean, diet.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=51262t=51235
Re: OSI...Please help... [7:51235]
Howard C. Berkowitz wrote:
> At 6:16 PM + 8/12/02, John Neiberger wrote:
>> Good point! Forgive me, I'd only had one cup of coffee when I wrote that. Usually I need at least three before my explainer works correctly.
>>
>> John
>
> You bring up an interesting question. Could we have predicted our industry crash by monitoring coffee consumption by accountants, vendors, or venture capitalists, etc.? There _ought_ to be a correlation.

How about caffeine consumption by gamers (i.e. programmers, Web designers, etc. at dot coms)? ;-)

Did you happen to see the article from the Mercury News yesterday about a drink favored by gamers called BAWLS (seriously)? It's a sweet drink with 80 milligrams of caffeine in a 12-ounce bottle. More here: http://www.bayarea.com/mld/bayarea/business/technology/3842507.htm

Priscilla

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=51263t=51235